Forum Moderators: phranque

"Safe" Tell A Friend Script

Prevent Mis-Use By Spammers

2:54 pm on Jan 21, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Aug 25, 2003
votes: 0

I'm thinking of modifying my board to have a "Tell A Friend" link by each post.

I have heard of spammers or other anti-e-social types using such scripts to forward spam or unpleasant messages.

Has anyone seen a "Tell A Friend" script & mailer that has reasonable protections against such mayhem? If so, where?


6:31 pm on Jan 22, 2005 (gmt 0)


WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
votes: 1

I moved this to Website Technology in the hope that it would get a little more activity. I'm a big fan of "tell a friend" functionality. If you search for "secure tell a friend script" you get some hits, but I'd be interested to see if someone has experience with the techniques needed to avoid rogue use.


6:38 pm on Jan 22, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member txbakers is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Sept 1, 2001
votes: 0

Hi. I wrote my own "Tell-a-friend" script which uses the user's email address and name.

It prevents spamming since the outgoing email has the sender's name and address on it, so it better be going to only friends.

That information comes from the database as part of their profile so they are not apt to spam.

7:08 pm on Jan 22, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 17, 2003
votes: 0

I'm glad you asked this because I'm wanting to do something similar so it made me think of something I hadn't thought about.

I think I'd definitely limit the fields to "email" and "sender's name".

Another thing I would do is limit the number of times a person could refer a link to someone to prevent malicious/annoying email. I'd also make sure there was no way the mailer worked unless the referer was from the page you have the "send to a friend" link on.

If you want the person sending the link to be able to enter their name, how about just limiting the "sender" field to 15 characters or so? If you want to prevent links from being sent, I'd use a string checker to check and make sure there's no "http://" or "www".

1:18 am on Jan 23, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Dec 13, 2002
votes: 0

As a (very) basic measure, you could create an MD5 hash for the time (and additional seed words?) and have it as a hidden input on the tell-a-friend page, then, when the page is POST'd, you could compare the hash against the new time hash, and if it's within 2 seconds, don't send it, assuming it's spam. Not perfect by any means, but it may cull some of the more basic spam you might face.

It's late though, so someone will surely come along and point out all the flaws while I'm asleep :)
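
Added example, not part of the thread or any poster's script: a Python sketch of the hidden-input time token and the sender-name limits suggested above. It swaps the MD5-of-time idea for an HMAC-SHA256 over the timestamp (so the value cannot be forged without the server secret); `SECRET`, the one-hour expiry, the control-character check and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: server-side secret standing in for the post's "seed words".
SECRET = b"replace-with-a-random-server-side-secret"
MIN_FILL_SECONDS = 2      # from the thread: a POST this fast is treated as a bot
MAX_AGE_SECONDS = 3600    # assumption: a form older than an hour is stale
MAX_SENDER_LEN = 15       # from the thread: cap on the sender name


def issue_token(now=None):
    """Value for the hidden input: '<unix time>:<HMAC of that time>'."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_token(token, now=None):
    """Return (ok, reason) for the token that came back with the POST."""
    now = time.time() if now is None else now
    ts, sep, mac = token.partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False, "malformed"
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_AGE_SECONDS:
        return False, "expired"
    return True, "ok"


def check_sender(name):
    """Apply the thread's sender-name limits, plus a control-character check."""
    if not name.strip() or len(name) > MAX_SENDER_LEN:
        return False, "bad length"
    lowered = name.lower()
    if "http://" in lowered or "www" in lowered:
        return False, "looks like a link"
    # Assumption beyond the thread: CR/LF in a name could add mail headers.
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return False, "control character"
    return True, "ok"
```

The token only filters automated posts that skip or rush the form; the per-user send limit suggested earlier in the thread still needs server-side state.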

